Semantic Web - Sharif University of Technologyce.sharif.edu/.../1/ce694-1/...SemanticWebSecurity.pdfAccess Control in Semantic Web Trust in Semantic Web ... 7 Semantic Web Security

��ه �عا�ی

Semantic Web

Morteza Amini

Semantic Web Security

Sharif University of Technology Fall 95-96

Outline

Information Security and Semantic Web

Security Ontology and Its Application

Access Control in Semantic Web

Trust in Semantic Web

Privacy in Semantic Web

Sharif Univ. of Tech. Semantic Web Security - Morteza Amini 2

Outline







Information Security Concepts

Information Security is based on CIA.

Confidentiality: Protecting the information from disclosure to

unauthorized parties.

Integrity: The trustworthiness of data or resources, it’s usually

phrased in terms of preventing improper or unauthorized

modification.

Availability: Ensuring that authorized parties are able to access

the information when needed.

Semantic Web Security - Morteza Amini Sharif Univ. of Tech. 4

Current Web Security

Semantic Web Security - Morteza Amini

User

Web server

HTML Documents

HTTP Request

HTTP Response

AAA: Authentication, Authorization, Accounting

Sharif Univ. of Tech. 5

Semantic Web Security

We need to provide security for three types of entities in

Semantic Web:

Web Resources

Agents

Web Services


Semantic Web Security (Cont.)

Entities can be one of 3 types:

Private -- No other entity has the right to access a private service/agent/resource

Secure -- Only entities that satisfy the associated policy of the secure agent/service/resource have the right to access it

Open -- All entities have the right to access an open resource/service/agent


Current Web Security


User

Semantic Web Server

Semantic Web Resources

Agent

Request for resource

Resource

Other Services

Automatic conversation! What can we do? Where and How can apply security in S.W.?


The Semantic Web Layer Cake


Security in Different Layers


Outline







Security Ontology

Using ontology for specification of Core elements and concepts of security systems Security requirements of users and agents Security capabilities of systems Security policies Objects which are under protection ....


Security Ontology Sample


Merging with Service Profile in DAML-S

(similarly in OWL-S)


Security Ontology Sample (Cont.)

Credentials Ontology


Security Ontology Sample (Cont.)

Credentials Ontology


Some Application of Security Ontology

Formal specification of security requirements/policies for Service/Agent/Web Resource

Formal reasoning about security

Matchmaking of services w.r.t. security requirements: General Match Close Match Possibility of Negotiation No Match


Agent Service This is my Credential

No Match with my Credential Requirements

I’m sorry

They can speak

about security


Outline







Access Control

Access Control Model characterizes the rights of each subject (active entity, such as a process) with respect to every other entity.-- [Matt Bishop, 2003]

Some kinds of Access Control Models: DAC (Discretionary Access Control) MAC (Mandatory Access Control) RBAC (Role-Based Access Control) ABAC (Attribute-Based Access Control)


DAC & MAC Models

Objects (O): The set of all protected entities

Subjects (S): The set of active objects, such as processes and users

Rights (R): The set of possible access rights (actions) of subjects on objects.

DAC (Discretionary Access Control): The owner of the information can define permissions on information (in an access matrix)

MAC (Mandatory Access Control): restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (i.e., clearance) of subjects to access information of such sensitivity.


Right Objects Subjects O1 O2

S1 + -

S2 - +

B

Secret

Very Confidential

Confidential

Unclassified

s

A


Role-Based Access Control (RBAC)

Role-Based Access [Ferraiolo et al, 2003] is similar to DAC except that instead of identifying a particular user, an access policy is created to allow users of a particular class (i.e. those who play some “role”) to access objects.


Roles Subjects R1 R2

S1

S2

Right Objects Roles O1 O2

R1 + -

R2 - +


Efforts on Access Control in S.W.

Some efforts were done to extend security mechanisms applicable to distributed systems (e.g. Kerberos, PKI, SPKI, etc.) for the semantic web.

Two kinds of Access Control Approach for S.W.: Identity-Based (Traditional Approach)

Attribute(Credential)-Based or Rule-Based or Policy-Based (New Approach) Each resource has its own access policies


Authentication & Identification

Associate Group or Role to Identity

Retrieve Permissions of Group or Role

Fire Access Policy based on Credential

Retrieve Permissions from Access Policy

Reasoning to achieve Needed Credential


Advantages of Rule based Access Control

Can specify dynamic policy rules in order to dynamically change the system security management

Offer maximum freedom and heterogeneity of the components

Can be used to force other security aspects such as Privacy, Obligations, ....

Able to define fine-grained access policies (on individual URIs to instances and classes)


Access Control Challenges in SW

Policy specification in conceptual or individual layer

Fine-grained access control in open environment

Security permissions inheritance (policy propagation) Super Class and Sub Class Property and Sub Property Subsumption, Union, Intersection Restriction

Decentralized access data (policies)

Detection and resolution of conflicts between explicit and implicit policies

Policy composition (e.g., in service composition)


Access Control Models in Semantic Web

W3C ACL - 2004

FGAC: Damiani, et al. - 2002

Rei: Kagal, et al. - 2003

KAoS: Uszok, et al. - 2003

SAIE: Abolhassani, et al. - 2003

SBAC: Javanmardi, et al. - 2006

SAC: Yague, et al. - 2005

SBAC: Naumenko – 2007

MA(DL)2: Amini, et al - 2010


W3C ACL System

Goals: ACLs are designed to express access rules in a logical, unambiguous, machine-accessible format.

Structure: An access system may be divided into: Identity Management

Maintaining identity information. HTTP basic authentication credentials are a form of identity, as are the client machine's IP address and any SSL identity held by the user of that machine.

Group Association Lists of which identities and groups lie within which other groups.

Privilege Management Associating resources or groups of resources with access privileges

and lists of groups or identities enables the resource holder.


W3C ACL System (Cont.)

Semantic Web Implication: A reasonable semantic web query for determining an identity's access privileges would be, for a given resource: Find the ACL rules for that resource. Find all the groups in that ACL. Find all the users in those groups. See if the caller's identity is among them.


(namespace '(a http://localhost/SqlDB# myDb local:/) attach '(\"W3C::Rdf::SqlDB\" (\"properties:/usr/local/perl/modules/Conf/chacl.prop\" \"name:myDb::W3Cacls\")) ask '(myDb::W3Cacls (a::accessTo ?acl http://www.w3.org/Member/Overview.html) (a::access ?acl a::GET) (a::memberOf ?groups \"eric\") (a::accessor ?acl ?groups) ) collect '(?groups ?acl) )


W3C ACL System (Cont.)

ACL Database Schema

uris (id, uri, acl) Associates a uri with a combincation of acls.

acls (acl, id, access) Unique combinations of ACL rules

hierarchy (sub, super, sponsor, stops) Associate identities or groups to groups

idInclusions (id, groupId, generation) Maintains the transitive closure of hierarchy


FGAC: Fine-Grained Access Control

FGAC [E. Damiani, 2000-2002]

Fine-grained access control based on XML structure

An access rule could be applied locally or propagated recursively based on XML hierarchy


{ }{ }

Access Authorization: , , , , is identified by URI or XPath

,

,

subject object action sign typeobjectsign

type local recursive

∈ + −

∈


Policy based Security in Semantic Web

Policy specification languages for Semantic Web

Ponder [Damianou, et. al., 2000] KAoS [Bradshaw, Uszok, e. al., 2001-2003]

Developed in Institute for Human and Machine Cognition (IHMC), Univ.

Rei [Kagal, Finin, et. al., 2002-2003]

Developed in UMBC


Based on Ontology Languages


Types of Security Policy for S.W.

Policy language can cover following types of security policies for semantic web security.

Access Policies: policies about accessing web entities Delegation Policies Refrain Policies Obligation Policies

Privacy Policies: policies about accessing user’s private information

Conversation Policies: policies about S.W. entities conversation (security requirements for conversation)

Meta Policies: policies about policies Policy Priority policies Policy Harmonization Policies


KAoS P.L. based System

KAoS Core Ontology (KPO): Rely on DAML DL-based ontology of the computational

environment Defines basic ontologies for actions, actors, groups, places,

various entities related to actions (e.g. computing resources), and policies

Supports following types of policies: Authorization Encryption Access and Resource Control Various forms of Obligation Agent Conversation Mobility Domain Registration


Just for Security


Example Policy Using KAoS P.L.

Members of domain called Arabello-HQ are forbidden to communicate with the outside of this domain using unencrypted communication.


KAoS Policy Conflict Resolution

Authorization Policy: Authorized or Forbidden to do some actions

Obligation Policy: Required or Not-Required to do some actions

Types of policy conflict:

Positive vs. Negative Authorization:

Being simultaneously permitted and forbidden from performing some actions.

Positive vs. Negative Obligation:

Being both required and not required to perform

some action.

Positive Obligation vs. Negative Authorization:

Being required to perform a forbidden action.


KAoS Policy Conflict Resolution (Cont.)

Policy precedence conditions: is needed to properly execute the automatic conflict resolution. Some conditions are: Priority Update Time: New policies have higher priority Relative authorities of individual who defined or imposed a policy The Scope of Policy: Subdomains takes precedence over superdomains

or vise versa

Steps in policy conflict resolution using Stanford’s Java Theorem Prover (JTP): Sort policies based on user-defined criteria. For each policy check the conflict with policies with lower priority. Remove the lower priority policy from the conflicting pair of policies. Do harmonization. It may generate zero, one or several new policies to

replace the removed policy. The newly policies inherit the precedence and the time of last update

from the removed policy.


Policy Harmonization

If P1 and P4 are two Cartesian products defined as: P1 = D11 x D12 x …. x D1n P4 = D41 x D42 x …. x D4n

then P1\P4 = subP1 ∪ subP2 ∪ … ∪ subPn

where subPk = (D11 ∩ D41) x ... x (D1(k-1) ∩ D4(k-1)) x (D1k \ D4k) x D1(k+1) x .. x D1n


KAoS Policy Administration Tool (KPAT)


Rei: A Policy Language

A declarative policy language for describing policies over actions

Represented in RDF-S + logic like variables

Based on deontic concepts and speech acts

Possible to write Rei policies over ontologies in other semantic web languages

Different kinds of policies Security, privacy, conversation, etc.


Delegation Revocation Request Cancel

Right Prohibition Obligation Dispensation


Deontic Concepts & Speech Acts

Deontic Logic Concepts: can be used to describe properties of agents domain specific conditions in terms of: Right (Permission): What an agent can do Prohibition: What an agent can not do Obligation: What an agent should do Dispensation: What an agent need no longer do

Speech Acts: can be used to extend the policies Delegation: Add a permission Revocation: Remove a permission or add a prohibition Request: Causes an action to be performed or causes a delegation

which leads to a permission Cancel: Cancels previous request


Rei Specifications

Policy Properties: Context, Default Policy, Grants

Deontic objects Rights, Prohibitions, Obligations, Dispensations Properties : Actor, Action, Constraints

Actions Properties: Actor, Target objects, PreConditions, Effects Composite actions: Seq, Choice, Once, Repetition

Speech Acts Delegation, Revocation, Request, Cancel Properties: Sender, Receiver, Deontic object/Action Used to modify policies

Meta Policies Setting priorities between policies or rules Setting modality precedence


Rei Example Policy

All graduate students have the right to delegate a printing action on the HPPrinter in SUT to any undergraduate student

Logic Right(Grad, delegate(UnderGrad, right(print(sut-hpprinter))),

Constraints). Constraints = student(Grad, graduateStudent), student(UnderGrad, undergraduateStudent)


Rei Example Policy (Cont.)


:policy a rei:Policy; rei:grants [a rei:granting; rei:to s; rei:deontic R; rei:oncondition [a rei:SimpleCondition; rei:subject s; rei:predicate rdf:type; rei:object univ:GradStudent]

:s a rei:Variable.

:r a rei:Variable.

:R a rei:Right;

rei:agent rei:s;

rei:action [a rei:Delegate;

rei:Sender s; rei:Receiver r;

rei:Content [ a univ:PrintingAction;

rei:target sut:HPPrinter];

rei:constraints[a rei:SimpleCondition;

rei:subject r;

rei:predicate rdf:type;

rei:object univ:UndergradStudent].


Security Aware Inference Engine

SAIE [Abolhassani, et al. – 2005]

Add Security at the level of inference engine

Security model is described by D.L.

We need to add security check in tableau algorithm



Adding security semantics to expansion rules of Tableau Algorithm



Security added Tableau Algorithm: This algorithm works based on expansion (completion) rules A tree is expanded starting from the original statement (i.e.

Query) A branch closes

in case of clash (i.e. C and ~C in the same node) in case of “security violation”

Algorithm terminates if no completion rule is applicable

It can infer security policies for complex concepts from the primitive ones; however, cannot infer the vice versa.


SBAC: Semantic Based Access Control

SBAC [Javanmardi, Amini 2006]

Conceptual (Ontology) Level Access Control Based on the ontology of subjects, objects, and actions Reducing all semantic relationships to the subsumption Access rule propagation based on subsumption relationships in

subject, object, and action domains.


{ }{ }{ }( ){ }{ }

, ,

, , , , , , , , ,

, ,

, ,Re

C T A R A R

SBAC OB AB Opr

OB Ont Ont SO Ont OO Ont AO

Ont C T R A

AB s o a s SO o OO a AO

Opr CA Grant voke

σ σ

=

= = ∨ = ∨ =

= ≤ ≤ ≤ ≤

= ± ∈ ∧ ∈ ∧ ∈

=

( ) ( )( ) ( )( ) ( )( ) ( )

Subjects Domain: , , , , ,

Objects Domain: , , , , ,

, , , , ,Actions Domain:

, , , , ,

i j i j

i j i j

i j i j

j j i i

s o a s s s o a

s o a o o s o a

s o a a a s o a

s o a a a s o a

± ∧ ≤ → ±

± ∧ ≤ → ±

+ ∧ ≤ → +

− ∧ ≤ → +


MA(DL)2 Authorization Model

MA(DL)2 [Amini et al. – 2010]

An access control model based on MA(DL)2 Logic MADL: Multi-Agent Deontic Logic DL: Description Logic

Specification of ontology of subjects, objects, and actions using DL.

Policy specification and inference using MA(DL)2 logic


MA(DL)2 Authorization Model

Policy specification in two levels: Conceptual level and ground (individual) level

Types of policies: Permissions, Prohibitions, Obligations

Sample Policy for conceptual level: Visiting professors and students in CE can access CE’s resources

except theses. True → PE(authCE@CE)do((Student⊔ExtFacultyMember)⊓Visitor, ⊤Object \Thesis, Read)


Outline







What is Trust?

An entity is trustworthy if there is sufficient credible evidence leading one to believe that the system will meet a set of given requirements.

Trust is a measure of trustworthiness, relying on the evidence provided.

Central Questions in S.W.: How trustworthy is information found on the Semantic Web? How do I decide that it is trustworthy?


Basic Roles

Information Providers want that their information is used / believed might want to state their publishing intend (assertion, quote) are only willing to put a certain effort into publishing

Information Consumers want to use the information for different tasks have different subjective trust requirements have different subjective preferences for certain trust

mechanisms


Trust Mechanisms

Reputation-based Trust Mechanisms

Context-based Trust Mechanisms

Content-based Trust Mechanisms


Reputation-based Trust Mechanisms

Include rating systems and web-of-trust mechanisms

Are a well researched area

Have a general problem: They require explicit and topic-specific trust ratings high effort for information consumers


Context-based Trust Mechanisms

Use background information about the information provider e.g. his role in the application domain or his membership in a

specific group example policies: "Distrust everything a vendor says about his

competitor“ or “Trust all members of organization A.”

Information created in the information gathering process publishing and retrieval date and the retrieval URL information whether a signature is verifiable or not example policy: “Trust all information which has been signed

and is not older than a month.”


Content-based Trust Mechanisms

Use information content itself, together related information content published by other information providers.

Example policies: “Believe information which has been stated by at least 5

independent sources.” “Distrust product prices that are more than 50% below the

average price.” “Distrust people claiming that Texan cows are aliens.”


Requirements for a Semantic Web Trust Layer

Use of all trust relevant information available: Journalism’s WWWWW: who, what, where, when and why

Support different, subjective, task-specific trust policies Reputation-based Context-based Content-based

Keep in mind that many applications don’t require total trustworthiness.


Trust based on:

Digital Signatures XML Signature

W3C Candidate Recommendation (October 2000) Joint work with IETF

Develop a XML syntax used for representing signatures on digital content and procedures for computing and verifying such signatures.

XML Encryption Developing a process for encrypting/decrypting digital content

(including XML documents and portions thereof) an XML syntax used to represent the

(1) encrypted content and (2) information that enables an intended recipient to decrypt it.


Outline







Platform for Privacy Preferences (P3P)

Concerns about privacy of personal data on the Web

Platform for Privacy Preferences (P3P) candidate recommendation (December 2000).

Allows: Web service providers to make a formal statement of their

privacy policies. Users to set their privacy preferences manual or automatic comparison of preferences against policy.


Goals and Capabilities of P3P1.0

P3P version 1.0: A protocol designed to inform Web users of the data-collection practices of Web sites.

It provides a way for a Web site to encode its data-collection and data-use practices in a machine-readable XML format known as a P3P policy.

The P3P specification defines: A standard schema for data a Web site may wish to collect, known as

the "P3P base data schema" A standard set of uses, recipients, data categories, and other privacy

disclosures An XML format for expressing a privacy policy A means of associating privacy policies with Web pages or sites, and

cookies A mechanism for transporting P3P policies over HTTP


Goals of P3P1.0

The goal of P3P version 1.0 is twofold:

It allows Web sites to present their data-collection practices in

a standardized, machine-readable, easy-to-locate manner.

It enables Web users to understand what data will be collected by sites they visit, how that data will be used, and what data/uses they may "opt-out" of or "opt-in" to.


References

“Computer Security, Art and Science”, Matt Bishop, Addison-Wesley, 2003

“Towards security and trust management policies on the Web”, Theo Dimitrakos, Brian Matthews, Juan Bicarregui, CLRC Rutherford Appleton Laboratory, Oxfordshire, OX11 0QX, UK.

“A Semantic Approach for Access Control in Web Services”, Mariemma I. Yagüe, José M. Troya, EUroWeb 2002.

“Agents, Trust, and Information Access on the Semantic Web”, Timothy Finin and Anupam Joshi, ACM SIGMOD, December 2002.

“KAoS Policy and Domain Services: Toward a Description-Logic Approach to Policy Representation, Deconfliction, and Enforcement”, A. Uszok, J. Bradshaw, R. Jeffers, N. Suri, P. Hayes, M. Breedy, L. Bunch, M. Johnson, S. Kulkarni, J. Lott.

“W3C ACL System”, Eric Prud'hommeaux, http://www.w3.org/2001/04/20-ACLs.html, 2001.

“W3C recommendations for privacy, security, trust”, Brian Matthews, W3C UK Office at RAL, http://www.nr.no/coras/workshop_at_RAL/w3coffice-bmm.ppt, March 2002.


References (Cont.)

“A Policy Based Approach to Security for the Semantic Web”, Lalana Kagal, Tim Finin, Anupam Joshi, ISWC2003.

“Security for DAML Web Services: Annotation and Matchmaking”, Grit Denker, Tim Finin, Lalana Kagal, Massimo Paolucci, Katia Sycara, ISWC2003.

“Creating a Policy-Aware Web: Discretionary, Rule-based Access for the World Wide Web”, Weitzner, Daniel, Hendler, James, Berners-Lee, Tim and Connolly, Dan. In Web and Information Security, 2004.

“Security in Semantic Web”, Hassan Abolhassani, Leila Sharif, 2004.

“The Platform for Privacy Preferences 1.0 (P3P1.0) Specification”, http://www.w3.org/TR/P3P, April 2002.

“The Semantic Web Trust Layer”, Jeremy Carroll, Christian Bizer, Developers Day Talk at The Thirteenth International World Wide Web Conference (WWW2004), New York, May 2004.


Any Question... [email protected]
